Authorize ADFS roles in mvc

I have a Win 8 app in which I want to authenticate an ADFS user based on role. I am using code like this:
        AuthenticationContext authenticationContext = new AuthenticationContext("https://login.windows.net/" + domainName);
        AuthenticationResult result = await authenticationContext.AcquireTokenAsync(resourceAppIDUri, clientID);
        if (AuthenticationStatus.Succeeded != result.Status)
If I succeed, then I want to authorize the user against a role. Is there any way?

Please post questions related to ASP.NET in the ASP.NET forums (http://forums.asp.net).

Similar Messages

  • ADFS and SharePoint Integration: How to use ADFS Roles?

    Hello,
    I've successfully integrated SharePoint with ADFS2 and users can log in through ADFS. One of the claim mappings in ADFS and SharePoint is SAM-Account-Name->Windows account name.
    Is there any guideline on how to grant a permission to a specific role? For example, I want to grant read access to a specific list to a specific AD group called "ListReaders".
    A link to an online article that explains how to use ADFS Roles in SharePoint would be a great help.
    Thank you,

    Hi Allan,
    According to your description, my understanding is that you want to grant permissions to ADFS roles.
    Please refer to “A Fellows” last suggestion on granting permissions to ADFS roles in the link below:
    http://social.technet.microsoft.com/Forums/en-US/4d5ee453-1447-4d14-b297-33c27ef2c24d/permissions-using-adfs-roles?forum=sharepointadmin
    More reference:
    http://www.css-security.com/blog/claims-based-authentication-and-authorization-with-adfs-2-0-and-sharepoint-2010/
    Thanks,
    Victoria
    Victoria Xia
    TechNet Community Support

  • How can I disable POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level.

    How can I disable the POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level? There is a requirement from my client and I propose two methods:
    1- Creation of Ztcode ZVL32N and making changes at ABAP program level
    2- Disablement via Authorization/Role level - but how can I find the auth object/authorization that corresponds to the POST GOODS RECEIPT button in VL32N?

    I think you can make use of SHD0 - Transaction variant to achieve this. You can make it as grayed out while recording steps in SHD0.

  • MSS (non-webdynpro) Authorizations and Roles

    Do you know the MSS 60.1 business package authorizations and roles that are required for the backend R/3 system?  I noticed an SAP note exists for the webdynpro version (#798967) but didn't see a note for the old package.

    Umair,
    I know this auth object is required for webdynpros in new business package but does it apply for old traditional java MSS package too?
    Thanks, John

  • Regarding Authorizations and Roles

    Hi All,
    Can anyone explain Authorizations and Roles to me in detail?
    regards,
    Ali

    Links for Learning about Authorizations:
    http://help.sap.com/saphelp_nw70/helpdata/en/44/599b3c494d8e15e10000000a114084/frameset.htm
    http://help.sap.com/saphelp_bw33/helpdata/en/be/076f3b6c980c3be10000000a11402f/content.htm
    http://help.sap.com/bp_biv235/BI_EN/documentation/Authorization_BW_Proj.pdf
    http://help.sap.com/saphelp_nw04/helpdata/en/e3/e60138fede083de10000009b38f8cf/frameset.htm
    Links to learn about Roles:
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
    http://www.bwexpertonline.com/archive/Volume_04_(2006)/Issue_10_(Nov_and_Dec)/V4I10A2.cfm?session=
    Assign points if helpful,
    Venkat

  • Authorization or roles assign?

    Hi All,
    I have installed XI 3.0 on Windows Server 2003, but my users are getting this error and are not able to create a product. It says "You are not authorized to view the requested resource 403 forbidden".
    What authorizations and roles do I need to set for every user?
    Regards,
    Rohit

    Error: HTTP 403 Forbidden
    Description: The server understood the request, but is refusing to fulfill it
    Possible Tips:
    Path sap/xi/engine not active
    • HTTP 403 during cache refresh of the adapter framework - Refer SAP Note -751856
    • Because of Inactive Services in ICF –Go to SICF transaction and activate the services. Refer SAP Note -517484
    • Error in RWB/Message Monitoring- because of J2EE roles – Refer SAP Note -796726
    • Error in SOAP Adapter - "403 Forbidden" from the adapter's servlet. –Because of the URL is incorrect or the adapter is not correctly deployed.
    From /people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
    Regards,
    Prateek

  • Authorizations & Business roles for ITSM

    Dears,
    I would like to ask whoever has implemented ITSM as a service desk for an IT organization, after setting up the Organizational Structure (Organizational Model), the Organizational Unit (Sold To Part) and the Org. Object (Support team):
    what is the best approach to give Authorizations & Business roles for:
    1) new employee joined the company as an End User (Requester).
    2) new employee joined the company as one of the IT Help desk (Dispatcher, Processor....etc.)
    Regards,
    Yazeed

    Hi Shikha,
    I hope you are assigning the Role to the Position created in your org model.
    That is done by navigating thru
    GO TO-DETAIL OBJECT-ENHANCED DETAIL DESCRIPTION-By creating new infotype for Business Role
    here one can assign the Business Role with the position.
    In case you are not assigning by above mentioned way. Try to do so. Hope this will help.
    Vijayata

  • How to achieve logical operator on [Authorize(Roles = ] in MVC

    For example, I need to make a controller accessible to a user with two roles: role "Admin" and "Editor". How can I achieve it?
        [Authorize(Roles = "Admins")]
        public class SampleController : BaseController
    How do I use logical operators, such as AND and OR (maybe || and &&)?
    Thanks!
      

    Hello klouapple,
    Please post your question to ASP.NET forum instead of here.
    Best regards,
    Barry
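
    The AND/OR combinations asked about in this thread, as an added example that is not part of the original posts: ASP.NET MVC's AuthorizeAttribute treats a comma-separated Roles list as OR, and stacked attributes as AND. The controller and attribute names are hypothetical, and the example assumes the role values reach the application as roles on the principal, so that User.IsInRole works.

    ```csharp
    using System;
    using System.Linq;
    using System.Web;
    using System.Web.Mvc;

    // OR: a comma-separated Roles list admits a user who holds ANY listed role.
    [Authorize(Roles = "Admin,Editor")]
    public class EitherRoleController : Controller   // hypothetical name
    {
        public ActionResult Index() { return Content("Admin OR Editor"); }
    }

    // AND: each stacked attribute is evaluated on its own and all must pass.
    [Authorize(Roles = "Admin")]
    [Authorize(Roles = "Editor")]
    public class BothRolesController : Controller    // hypothetical name
    {
        public ActionResult Index() { return Content("Admin AND Editor"); }
    }

    // AND over an arbitrary role list with a single attribute (hypothetical helper).
    public sealed class AuthorizeAllRolesAttribute : AuthorizeAttribute
    {
        private readonly string[] _required;

        public AuthorizeAllRolesAttribute(params string[] roles)
        {
            // An empty list would authorize every signed-in user, so reject it.
            if (roles == null || roles.Length == 0)
                throw new ArgumentException("At least one role is required.", "roles");
            _required = roles;
        }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (httpContext == null) throw new ArgumentNullException("httpContext");

            var user = httpContext.User;
            // Fail closed: anonymous or missing principals never pass.
            if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
                return false;

            // The user must hold every required role.
            return _required.All(user.IsInRole);
        }
    }

    // Usage of the helper: equivalent to the stacked form above.
    [AuthorizeAllRoles("Admin", "Editor")]
    public class BothRolesViaHelperController : Controller   // hypothetical name
    {
        public ActionResult Index() { return Content("Admin AND Editor"); }
    }
    ```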

  • Report to check the open authorization in Roles

    Hi All,
    Is there any standard SAP report or option to find out the list of roles with open authorizations(auth data incomplete) in the R/3 system?
    We are on R/3 4.7.
    Thanx
    Balaji Srinivas

    I've found a solution on NetWeaver 2004 which I think works on 4.7 as well:
    Use SE16 to get the data from tables AGR_1251 and AGR1252 with the following selection criteria:
    For the "LOW" field open the selection subscreen, go to "exclude ranges" and in the lower limit enter "#!", where the exclamation mark is the lowest in the ASCII range (character 33) and the hash is there to escape any special meaning so SE16 will accept it. In the "upper limit" enter "ÿ", character 255. Now you've told the system not to return any row with a valid ASCII character in the "LOW" field for the objects.
    You may want to filter for "DELETED" <> "X" as well in AGR_1251.
    Hope this helps
    Jurjen

  • How to determine ADF roles a user is in - before fully authenticated

    [JDev/ADF v11.1.1.5.0]
    I am trying to intercept a user's login to our ADF application (to log it to a database). I have written a custom login page and backing bean to handle the login using:
    mySubject = login(this._username, this._password);
    HttpServletRequest request = (HttpServletRequest)ctx.getExternalContext().getRequest();
    ServletAuthentication.runAs(mySubject, request);
    ServletAuthentication.generateNewSessionID(request);
    // determine what ADF 'Application Roles' the user has
    // log to database here
    // ... [code removed] ...
    HttpServletResponse response = (HttpServletResponse)ctx.getExternalContext().getResponse();
    RequestDispatcher dispatcher = request.getRequestDispatcher("/adfAuthentication");
    dispatcher.forward(request, response);
    What I need to do, however, is determine what roles a user has in the app, at the "???" point in the above code. If I interrogate the 'mySubject' object, it lists the groups from our authentication source that the user is a member of. In ADF Security, I've mapped these "Enterprise Roles" to "Application Roles", and need to get access to the Application Roles before redirecting them to the adfAuthentication servlet.
    I've tried using ADFContext.getCurrent().getSecurityContext().getUserRoles() where the '// ???' is, but it returns the 'anonymous' user (and associated roles). It appears that even though I've switched to runAs the authenticated user (via ServletAuthentication.runAs), ADF still thinks I'm running as the initial (anonymous) user.
    Is there a way to tell ADF to 'refresh' who it thinks I am now, so it will see me as the (now-authenticated) user, with their roles, etc.? Or, is there some other way to determine what (Application) roles a user has given their username?
    Thanks!
    Edited by: Karl C on Nov 27, 2012 12:28 PM

    Just checked code.
    Sorry, in our code we test enterprise roles (and not application roles) because we are using ReadOnlySqlAuthenticator to retrieve db users/roles.
    Set<Principal> allPrincipals = mySubject.getPrincipals();
    for (Principal principal : allPrincipals) {
        // WLSGroupImpl principals carry the group (enterprise role) names
        if (principal instanceof WLSGroupImpl) {
            roles.add(principal.getName());
        }
    }
    Dario

  • Check users authorizations and role

    Hello!
    How can I check the authorizations of
    Web Dynpro application users and also his role.
    Thanks
    rgds
    sas

    Hi,
    Please go through the following links:
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webdynpro/wd%20java/web%20dynpro%20security.pdf
    https://help.sap.com/javadocs/index.html
    use the method isMemberOfRole.
    Regards
    Ayyapparaj

  • Authorizations and roles

    Hi all!!
    I'm creating an authorization object to restrict some key figures of an InfoCube.
    I want to restrict only four or five key figures for one cube, and the user can see all the characteristics; is it possible to do this?
    I found this way, but really it is not what I want:
    I created an authorization object that contains, for example, 0material and Key fig.
    In transaction PFCG, in the role, I go to the authorization and include the object that I created and put the values * for material and the key figure that I want to see.
    But I want the user to be able to see all the chars, not necessarily 0material, and hide some key figures.
    Thanks for the answer,
    Greetings,
    Monica

    Hi!!
    Thanks for the answer
    When I do this and execute the query, I can see all the key figures (they are in the area of columns), and for example I don't want to see one of them.
    I'm not sure if I'm doing something wrong.
    I followed these steps:
    1. I created in RSSM an authorization object with only 1KYFNM
    2. In PFCG I added to the role the object that I have created and put in the values of ratio the ratios that I want to see.
    3. I updated the roles for the user.
    Then I executed the query and I see all the KF; I don't have any authorization variable in the query because I want that applied for all the chars.
    Thanks again,
    Mónica

  • Org Level Roles / Authorization Object Roles

    Hi board,
    I have heard of the concept to use roles with "Organizational Values" only and no other authorization values contained. Similar is the idea to exclude special authorization objects from common roles and combine them in dedicated special ones to prevent accidental "double usage".
    The first may help to control the overall number of roles coming up after deriving single/composite roles for many levels.
    My questions are:
    - Is it technically feasible (for a large-scale company)?
    - What is your experience?
    - Drawbacks?
    Kind regards and many thanks for your help,
    Richard

    Richard Hösl wrote:
    > Hi there,
    >
    > that was fast, amazing. Thanks a lot and my apologies for not finding the other thread from the beginning. I can see drawbacks, nevertheless it is still tempting due to the fact that derivation for over 30 countries will produce a huge number of roles. Not from the system performance point of view, just to handle this amount will be painful.
    >
    > Given the assumption that it is not a good idea to use "Org Value Roles", are you deriving on composite or on single level?
    >
    > Kind regards,
    >
    > Richard
    Hi Richard,
    It is a very tempting approach, but completely wrecks the standard auth concept and unless you are 100% tight on controlling it, can get very messy.
    A good way of looking at it is that you have 2 roles - one contains transactions & the other one a big bucket of authorisations which support those transactions.  That bucket invariably contains more authorisations than the transactions require.  Given that it is at the authorisation object level that the important security is provided, this method has its drawbacks...
    If you have organisational complexity then you should look elsewhere to simplify.
    By consolidating your roles (e.g. if we take a risk based design approach, typically around 80% of an accountant's role will be the same anywhere in the business) and building at a higher level, you need to create fewer variants (which you might be able to use derived roles for).
    Put the effort in the design stage and it will pay dividends later on down the line. 
    Building at a higher level than task also forces the business to look at roles and responsibilities and to standardise as much as possible.
    Cheers
    Alex

  • Authorizations: Dynamic roles

    Hello everybody,
    We are going to migrate our authorizations from 3.x concept to BI-7.
    With the new concept we are compelled to respect certain requirements, like including in the single user profile every InfoObject “AuthorizationRelevant” (those that are also built into the InfoProvider, intended for the future analysis).
    - Certain users had only one dynamic role. In such a case we are able to restrict, for instance:
      o 0CO_AREA = a value;
      o every other InfoObject “AuthorizationRelevant” = “*” (every single value)
    - Certain users had two or more dynamic roles; in such a case we are supposed to:
      o ROLE 1: 0CO_AREA = a value; every other InfoObject “AuthorizationRelevant”, for instance 0COMANY_CODE = “*” (every single value)
      o ROLE 2: 0COMANY_CODE = a value; every other InfoObject “AuthorizationRelevant”, for instance 0CO_AREA = “*” (every single value)
    In this particular case though we expect that the system will ignore our restrictions because it is adding the two roles in fact:
    ROLE 1 is set: 0CO_AREA = a value;
    ROLE 2 is set: 0CO_AREA = “*”.
    Based on what we just described above, here are our questions:
    1. Does a symbol exist (for instance “:” “>”) that we can assign to every InfoObject “AuthorizationRelevant” in order to cheat the system, making it understand that it is there but not relevant for the authorizations (instead of using “*”)?
    2. If not, can you please suggest another way to cope with the problem of having more dynamic roles assigned to a user?
    Thank you very much
    Matteo Mariniello

    Hello,
    I don't have a solution but I think I understood Matteo's goal, which is not at all to authorize users to do anything they want to.
    He wants to restrict certain tasks, but when it comes to a user having two or more dynamic roles, the addition of them makes the restriction useless.
    As he said
    Dynamic Role 1)
    0CO_AREA = a value
    0COMP_CODE= *
    Dynamic Role 2)
    0CO_AREA = *
    0COMP_CODE= A VALUE
    Therefore; the addition of them for ONE user is going to make the restrictions
    0CO_AREA = a value
    0COMP_CODE= a value
    USELESS!!
    Take Care
    Domenico

  • Authorizations in role creation

    hi,
    Can anybody help me? In which table is the status of maintained, changed, standard available? Suppose when we change the field values of one object it will be maintained in one table and shows the changed and maintained status flags in the display authorizations screen of the role. Help me.

    Hi Mukka
    Hope it will help you.
    reward if help.
    In general, different users will be given different authorizations based on their role in the organization.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    Use SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example, program an AUTHORITY-CHECK:
    AUTHORITY-CHECK OBJECT <authorization object>
      ID <authority field 1> FIELD <field value 1>
      ID <authority field 2> FIELD <field value 2>
      ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is an auth. object
    ID 'ACTVT' FIELD '02': in place of 2 you can put 1, 2, 3 for change, create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to the SU21 Transaction, where you have to define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes to a profile, and that profile is in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Sy-SUBRC values
    4              User has no authorization in the SAP System for
                   such an action. If necessary, change the user
                   master record.
    8              Too many parameters (fields, values). Maximum
                   allowed is 10.
    12             Specified object not maintained in the user
                   master record.
    16             No profile entered in the user master record.
    24             The field names of the check call do not match
                   those of an authorization. Either the
                   authorization or the call is incorrect.
    28             Incorrect structure for user master record.
    32             Incorrect structure for user master record.
    36             Incorrect structure for user master record.
